
Weekly Roundup of Data Issues - 3 May 2016

The government is continuing its crackdown on cold calling, with Baroness Neville Rolfe, Minister for Data Protection, announcing that direct marketing companies registered in the UK will be required to display their caller ID as part of a set of new rules brought in to tackle this problem. The new rules, which come into force on 16 May 2016, should make it easier to track unwanted cold callers and easier for the public to make complaints. The rules also apply to call centres which are based outside the UK.

This latest update follows a significant number of fines from the Information Commissioner’s Office (ICO), amounting to close to £1 million. Cold calling companies hiding their details will risk fines of up to £2 million from Ofcom on top of £500,000 from the ICO. Companies are advised to review their use of cold calling and whether they make use of any outsourced call centre arrangements.

Kent police force has been fined £80,000 by the Information Commissioner’s Office (ICO) for serious breaches of the Data Protection Act (DPA), after it handed sensitive personal information (as defined in section 2 of the DPA) relating to an alleged domestic abuse victim to the solicitor of the suspect. As part of their investigation, Kent police force obtained the complainant's phone, which purportedly contained video evidence of the alleged offence. It also contained a large amount of sensitive personal information, including text messages and family photographs.

The force took a copy of the contents of the complainant’s phone, and, in breach of the DPA, sent the entire contents to the solicitor of the suspect, who subsequently disclosed it to the suspect.

Whilst the suspect was entitled to see the evidence against him, the other sensitive personal data on the phone should not have been provided. The ICO highlighted that Kent police force had “no procedure for checking the contents of material prepared for disclosure ... even in cases involving highly sensitive personal information”.

It is imperative for police forces generally to adopt adequate policies and practices to prevent future breaches of the DPA, or more fines can be expected in the future. This case also serves to highlight the importance of investing in robust data handling processes in relation to preparing documents for disclosure. In this case the sensitive data should have been redacted or else marked as being confidential/subject to privilege.

The Information Commissioner’s Office (ICO) forces local council to implement data protection training for staff

Following numerous data protection audits, the ICO has served an enforcement notice on West Dunbartonshire Council forcing it to get its data protection practices in order. The ICO has ordered mandatory training for all staff, including an annual refresher course. The council is also required to implement a working from home policy and conduct working from home safety assessments for compliance with the DPA. In 2014, the council suffered a data breach when an employee reported a bag containing sensitive confidential information as stolen. Councils without adequate policies and procedures in place can expect a similar visit from the ICO and risk heavy fines if personal data is lost or accessed unlawfully.

The ICO has dipped its toes into the Brexit debate, releasing a short statement last week. Flagging that UK data laws “precede EU legislation by more than a decade, and go beyond the current requirements set out by the EU”, the ICO suggested that changes to UK data laws would be minimal.

Despite the ostensible lack of concern from the ICO, a Brexit could potentially have a significant impact on data protection rules. For example, the UK’s status as a safe destination for EU personal data may need to be approved by the EU Commission. In the absence of approval (or in the interim period before approval) extra requirements, such as use of model contractual clauses, may be necessary to ensure that data transfers between the UK and the EU are lawful. Further, ECJ-made laws, such as the “right to be forgotten”, may not apply in the UK post-Brexit.

Ultimately, the extent of change would depend on how the UK renegotiated its relationship with Europe.